In which release is CVE 2017-15095 fixed? #1847

Closed
appDeveloper888 opened this Issue Nov 30, 2017 · 7 comments


appDeveloper888 commented Nov 30, 2017

Hi all,

in which release is CVE 2017-15095 fixed?

best regards

Member

cowtowncoder commented Nov 30, 2017

Please do not re-file the same issue: I already answered #1837.

appDeveloper888 commented Nov 30, 2017

Member

cowtowncoder commented Nov 30, 2017

Ok I have no idea then. If you have a link to the vulnerability, could you add it?
These vulnerabilities are typically not reported to me for some reason or another, and I only hear when someone points them out. Not sure that's the way these should go; probably not.

Member

cowtowncoder commented Dec 1, 2017

Googling produced hits, but no good explanation other than a suggestion that the blacklist is incomplete:

https://access.redhat.com/security/cve/cve-2017-15095

This could possibly refer to #1737 (included in 2.8.10 / 2.9.1), which adds the last known potentially concerning cases. If there are other types to include, they have not been reported to the project yet.

Member

cowtowncoder commented Dec 1, 2017

Ok. Yes, looks like #1737 is the main thing matching CVE-2017-15095.
Red Hat's bug tracker refers to 2 other issues which are sort of related:

  • #1723: no separate work, was basically a question asking about CVE-2017-7525
  • #1680: block com.sun.rowset.JdbcRowSetImpl

So the answer here is that the fix is in

  • 2.8.10
  • 2.9.1

DKumars commented Jan 31, 2018

Hi,

Is this CVE 2017-15095 vulnerability fixed in version 2.6.7.1? Please confirm, because we are using version 2.6.1. If we move to 2.8.10, then it gives us a lot of dependency changes in scala_module_2_11. Please confirm: can we use 2.6.7.1 for this fix?

Member

cowtowncoder commented Jan 31, 2018

@DKumars No. You need to upgrade to a newer version, 2.8.10 or 2.9.1
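
The version answer from this thread, turned into a dependency check. This is an added example, not part of the original thread and not code from the Jackson project; the function names and the sample `mvn dependency:list` lines are constructed for illustration. It assumes only what the thread states (fix in 2.8.10 and 2.9.1, 2.6.7.1 not fixed) plus one labelled assumption about release lines newer than 2.9.

```python
import re

# Fixed releases as stated in the thread: 2.8.10 on the 2.8 line, 2.9.1 on the 2.9 line.
FIXED_BY_LINE = {(2, 8): (2, 8, 10), (2, 9): (2, 9, 1)}
ARTIFACT = "com.fasterxml.jackson.core:jackson-databind"


def status(version_text):
    """Classify a jackson-databind version as 'fixed', 'upgrade' or 'unknown'."""
    # Only plain dotted numbers are judged; suffixed builds (-SNAPSHOT, .pr4)
    # cannot be placed relative to the fix and are left for manual review.
    if not re.fullmatch(r"\d+(?:\.\d+)+", version_text):
        return "unknown"
    v = tuple(int(p) for p in version_text.split("."))
    line = v[:2]
    if line in FIXED_BY_LINE:
        # Compare within the release line: 2.9.0 sorts above 2.8.10 but is not fixed.
        return "fixed" if v >= FIXED_BY_LINE[line] else "upgrade"
    # Assumption: lines newer than 2.9 were branched after the fix. Older lines
    # (2.6.x, 2.7.x) are not named as fixed in the thread, so they need an upgrade.
    return "fixed" if line > (2, 9) else "upgrade"


def audit(lines):
    """Return (version, status) for every jackson-databind coordinate in the lines."""
    pattern = re.compile(re.escape(ARTIFACT) + r":jar:([^:\s]+)")
    return [(m.group(1), status(m.group(1)))
            for m in map(pattern.search, lines) if m]


# Constructed sample in the format printed by `mvn dependency:list`.
SAMPLE = """\
[INFO]    com.fasterxml.jackson.core:jackson-core:jar:2.6.7:compile
[INFO]    com.fasterxml.jackson.core:jackson-databind:jar:2.6.7.1:compile
[INFO]    com.fasterxml.jackson.core:jackson-databind:jar:2.8.10:compile
[INFO]    com.fasterxml.jackson.core:jackson-databind:jar:2.9.0:runtime
[INFO]    com.fasterxml.jackson.core:jackson-databind:jar:2.9.1:compile
"""

if __name__ == "__main__":
    for version, verdict in audit(SAMPLE.splitlines()):
        print(f"jackson-databind {version}: {verdict}")
```

A plain "version >= 2.8.10" comparison would wrongly pass 2.9.0, which is why the check compares within each release line.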
